How To Secure Terminal Services via an IP Filter
Below are the steps needed to secure Terminal Services on a Windows 2000 or Windows XP computer. These steps should also work for Windows 2000 Server or Windows 2003 Server. Follow each step carefully and become familiar with the IP Security Policy Management console so you can revisit your IP security policy and modify it as needed.
(1) Set up the IP Security Policy Management console:
Go to Start > Run..., type MMC and press Enter.
In MMC go to the File menu and select "Add/Remove Snap-in...", click the Add... button and add:
IP Security Policy Management (select local computer)
AND
IP Security Monitor
(click OK)
(2) Create the "Block Action":
In the left column of the IP Security Policy Management console, single-click "IP Security Policies on Local Computer" to select it, then right-click it and choose "Manage IP filter lists and filter actions...".
Click the Manage Filter Actions tab, UNSELECT the "Use Add Wizard" checkbox, click the Add... button, under the Security Methods tab select "Block", under the General tab enter the name "Block" and the description "Block unknown IP packets from passing through.", and click the OK button (but do not yet close "Manage IP filter lists and filter actions").
(3) Create the "Block IP Filter":
Still in "Manage IP filter lists and filter actions...":
Go to the Manage IP Filter Lists tab, click the Add... button, enter the name "Block Incoming Terminal Services IPs" and the description "Block Incoming Terminal Services IPs", UNSELECT the "Use Add Wizard" checkbox, click the Add... button, under the Addressing tab set Source address to "Any IP Address" and Destination address to "My IP Address" (leave Mirrored checked), under the Protocol tab set the protocol type to TCP, select "To this port" and enter 3389, and click OK. (By default we are blocking ALL IP addresses coming to port 3389. In the next step we will allow specific addresses; because those filters are more specific, they override the block.)
(4) Create the "Allow IP Filter":
Go to the Manage IP Filter Lists tab, click the Add... button, enter the name "Allow Incoming Terminal Services IPs" and the description "Allow Incoming Terminal Services IPs", UNSELECT the "Use Add Wizard" checkbox, click the Add... button, under the Addressing tab set Source address to "A specific IP Address" and enter the IP address you want to allow access to Terminal Services, set Destination address to "My IP Address" (leave Mirrored checked), under the Protocol tab set the protocol type to TCP, select "To this port" and enter 3389, and click OK. (Repeat this for every IP address you want to allow.)
(5) When you are done adding IP addresses, close "Manage IP filter lists and filter actions".
(6) Create a new IP security policy:
Right-click "IP Security Policies on Local Computer" and choose "Create IP Security Policy", click Next, name the policy "Terminal Services IP Filter", click Next, UNSELECT "Activate the default response rule", click Next, ensure "Edit properties" is selected and click the Finish button.
(7) Assign the "Allow Filter" to the "Allow Action":
You should now see the Terminal Services IP Filter Properties window. UNSELECT the "Use Add Wizard" checkbox and click the Add... button. Under the IP Filter List tab select "Allow Incoming Terminal Services IPs", then go to the Filter Action tab, select "Permit" and click OK.
(8) Assign the "Block Filter" to the "Block Action":
You should still be at the Terminal Services IP Filter Properties window. UNSELECT the "Use Add Wizard" checkbox and click the Add... button. Under the IP Filter List tab select "Block Incoming Terminal Services IPs", then go to the Filter Action tab, select "Block" and click OK.
(9) You should still be at the Terminal Services IP Filter Properties window. Make sure both "Allow Incoming..." and "Block Incoming..." are checked. Click OK to close the Terminal Services IP Filter Properties window.
(10) Activate the policy:
In the left column of the IP Security Policy Management console, left-click to select "IP Security Policies on Local Computer". In the right column right-click "Terminal Services IP Filter" and select "Assign". This final step activates the filter.
(11) Test to ensure no mistakes were made and that the allowed IP addresses can connect.
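The same policy built from the command line, as an added example that is not part of the original article. It assumes the "netsh ipsec static" context (present on Windows Server 2003 and Windows XP SP2, not on Windows 2000, where only the console steps above apply); the allowed address 203.0.113.10 is a constructed placeholder.

```batch
@echo off
rem Added example: scripted equivalent of steps (2) through (11) above.
rem Assumes the "netsh ipsec static" context is available on this host.
rem 203.0.113.10 is a constructed placeholder; replace it with the address
rem you want to allow and repeat that "add filter" line for each address.

rem (2) The "Block" filter action
netsh ipsec static add filteraction name="Block" action=block description="Block unknown IP packets from passing through."

rem Explicit permit action (the console offers a built-in "Permit"; creating
rem our own avoids depending on the default actions being present)
netsh ipsec static add filteraction name="Permit Terminal Services" action=permit

rem (3) Block list: any source -> my address, TCP to port 3389, mirrored
netsh ipsec static add filterlist name="Block Incoming Terminal Services IPs" description="Block Incoming Terminal Services IPs"
netsh ipsec static add filter filterlist="Block Incoming Terminal Services IPs" srcaddr=any dstaddr=me protocol=tcp dstport=3389 mirrored=yes

rem (4) Allow list: one filter per permitted source address; a more specific
rem filter takes precedence over the general block above
netsh ipsec static add filterlist name="Allow Incoming Terminal Services IPs" description="Allow Incoming Terminal Services IPs"
netsh ipsec static add filter filterlist="Allow Incoming Terminal Services IPs" srcaddr=203.0.113.10 dstaddr=me protocol=tcp dstport=3389 mirrored=yes

rem (6) The policy, with the default response rule left inactive
netsh ipsec static add policy name="Terminal Services IP Filter" activatedefaultrule=no

rem (7) and (8) Bind each filter list to its action as a rule of the policy
netsh ipsec static add rule name="Allow TS" policy="Terminal Services IP Filter" filterlist="Allow Incoming Terminal Services IPs" filteraction="Permit Terminal Services"
netsh ipsec static add rule name="Block TS" policy="Terminal Services IP Filter" filterlist="Block Incoming Terminal Services IPs" filteraction="Block"

rem (10) Assign (activate) the policy
netsh ipsec static set policy name="Terminal Services IP Filter" assign=y

rem (11) Review the assigned policy, its rules and filters before testing
rem a connection from an allowed address
netsh ipsec static show policy name="Terminal Services IP Filter" level=verbose
```

Run the script from an elevated command prompt on the console (not over the Terminal Services session you are about to filter), then test from an allowed address as in step (11).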
--Robert Evans,
3-7-2005